1997 Congressional Hearings
Intelligence and Security


STATEMENT OF ROBERT T. MARSH

 

FORMER CHAIRMAN

 

PRESIDENTíS COMMISSION

ON

CRITICAL INFRASTRUCTURE PROTECTION

BEFORE THE

SUBCOMMITTEE ON TECHNOLOGY

OF THE

COMMITTEE ON SCIENCE

 

U.S. HOUSE OF REPRESENTATIVES

 

NOVEMBER 6, 1997

 

 

 

 

 

INTRODUCTION

 

 

 

 

 

Good afternoon, Madame Chairwoman and members of the subcommittee. My name is Tom Marsh and I served as the Chairman of the Presidentís Commission on Critical Infrastructure Protection (the Commission). I am pleased to be here today to discuss with you the work of the Commission and outline its principal findings and recommendations reflected in our report, Critical Foundations.

 

My perspectives arise from serving on the Commission, established, as you are aware, by Executive Order 13010 on July 15, 1996. A joint government and private sector endeavor, this Commission was charged to develop a national policy and implementation strategy for protecting our critical infrastructures from physical and cyber threats and assuring their continued operation. The President identified eight infrastructures as our national life support systems: telecommunications, electric power, oil and gas transportation and storage, banking and finance, transportation, water supply systems, emergency services (such as medical, police, fire and rescue), and continuity of government services. These national infrastructures are vital in that

 

 

their incapacity or destruction would have a debilitating impact on the defense and economic security of the United States.

 

The Commission concluded its work on October 13 and submitted its report, Critical Foundations, to the White House. This report a national policy, an implementation strategy, and recommendations that we believe will serve to protect these infrastructures from both physical and cyber threats and assure their continued operation. While we have long understood the physical threat, the fast pace of technology poses us with a continually evolving cyber threat. Thus the Commissionís work and our report focus primarily on coping with the cyber threat.

STATEMENT

Rigorous Process

The Commission was uniquely tailored for its task. In recognition that the critical infrastructures are largely owned and operated by the private sector, the Commission and its oversight structure was a joint public-private undertaking. The Commission itself was comprised of representatives from federal departments and agencies and from the private sector; a Steering Committee of senior government officials, including the Attorney General, helped us weave our way through the tangled web of governmental equities; and a Presidentially-appointed Advisory Committee of key industry leaders, co-chaired by former Senator Sam Nunn and Ms. Jamie Gorelick, provided advice from the perspective of owners and operators of the infrastructures.

Every recommendation was discussed at length in a series of deliberations that addressed all feasible options and the pros and cons of each. All Commissioners accepted the final report as reasonable, balanced, and acceptable for submission to the President.

Guiding Principles

Our approach recognized that most of the infrastructures operate within an existing framework of government policy and regulation. But they are also privately owned competitive enterprises; as such, protection recommendations should not undermine a companyís competitive position. Consequently, our work recognized that any solution would have to be viable in the marketplace as well as the public policy arena. As part of our deliberations process, we adopted the following guiding principles:

 

First, we knew this could not be another Big Government effort. Government must set the example, but it is the owners and operators who are the key to success. They have a strong economic stake in protecting their assets and maximizing customer satisfaction. They understand the infrastructures and have experience in responding to disruptions.

 

Second, while we may be undergoing an information revolution, we felt that utilizing the best ideas and processes from current structures and relationships was the best way to proceed. It will be easier and faster to implement, more effective, and more likely to be accepted than creating a totally new structure. This means building on existing organizations and relationships as well as fostering voluntary cooperation. Partnerships between industry and government will be more effective and efficient than legislation or regulation.

 

Finally, this is a long-term effort which will require continuous improvement. We, as a country, must take action in practical increments. There is no "magic bullet" solution. We, as a country, must aim not only to protect the infrastructures, but also to enhance them.

 

Key Findings

In many respects, our most important finding is the need to think differently about infrastructure protection. Todayís approach was designed to deal with the Industrial Revolution, then was adjusted to address the stabilization of America after the Civil War, the Depression, World War II, and finally the nuclear stand-off of the Cold War. None of those approaches is particularly applicable to the world as it looks through the lens of information technology in the third millennium.

Information sharing is the most immediate need. There are good examples of collaborative infrastructure assurance efforts between the private sector and government, such as the North American Electric Reliability Council and the Presidentially-appointed National Security Telecommunications Advisory Committee. But there are important shortfalls. Increased sharing of threat and vulnerability information within each infrastructure, across different sectors, and between sectors and the government is essential for owners and operators to understand their risks and acquire better means of protection.

Responsibility is shared among owners and operators and the government. Owners and operators have always focused on protecting known threats to their operations, because it is in their interest. The government has always focused on protecting the nation from threats beyond the capabilities of such private self-protection, such as terrorism or sabotage sponsored by a foreign government. Today, an adversary can utilize readily-available cyber tools to effectively bypass our national defense forces to directly access the infrastructures that underpin our national economic strength. Traditional national security concerns must give way to a concept of shared threats in which responsibility must be shared between government and industry.

Infrastructures protection requires a focal point. The Commission believes that the federal governmentís role in infrastructure protection includes the traditional defense, law enforcement, intelligence, and other responsibilities that have proved effective against physical attacks, as well as the additional effort, resources, and processes to respond to the cyber dimension. The structures detailed in our recommendations are designed to expand the reach of existing capabilities, provide a means to coordinate them, and integrate them with the resources of the owners and operators.

We must adapt to a changing culture. Our culture is changing at an accelerating pace. The Information Age is still unfolding, but it is already clear that it brings with it at least as many adjustments to our way of life as did the Industrial or the Nuclear Age, and that the requirement to adapt is urgent. Certain measures are required to educate and inform our private infrastructure sectors, public servants, and citizens about the realities of the new environment.

The federal government has an important role in the new alliance. The federal government is in a position to lead by example by adopting best practices, actively managing risk, and improving security planning in its own information systems.

The existing legal framework is imperfectly attuned to deal with cyber threats. Laws move at a much slower rate of change than technology. The existing legal framework does not reflect current technology in a number of ways. Legal authorities need to be modified to allow for greater awareness of information security concerns, to enable response to and recovery from cyber events; to increase deterrence against computer crimes domestically and internationally; and, to clarify roles and responsibilities in a cyber world without jurisdictional boundaries.

Research and development are not adequate to support infrastructure protection. New threats and vulnerabilities require new tools and methods for protecting ourselves. The Commissionís proposed research and development program identifies specific areas for research focused on this need.

Fundamental Conclusion

We know our infrastructures have substantial vulnerabilities to domestic and international threats. Some have been exploited Ė so far chiefly by insiders. Protecting our infrastructures into the 21st Century requires that we develop greater understanding of their vulnerabilities and act decisively to reduce them. In the last fifteen months, the Commission has thoroughly reviewed the vulnerabilities and threats facing our infrastructures, assessed the risks, consulted with thousands of experts, and deliberated at length as to how best to assure our nationís critical foundations in the decades to come. Our fundamental conclusion is this:

Waiting for disaster is a dangerous strategy. Now is the time to act to protect our future.

We believe the situation may become far more dangerous than it is today. If we take prudent and creative steps now, however, the nation can be prepared to meet these challenges should they materialize. I should add, however, that our proposals are essentially pro-active. They address a problem that lies in the future. There is not a crisis today.

It would be misleading if I were to imply that the United States lies defenseless while our report is being read and evaluated by the Administration. That is not so. The Defense Information Systems Agency collects information about suspicious incidents and actual intrusions into Department of Defense computers. The Federal Computer Incident Response Center in the Department of Commerce serves much the same function for non-Defense agencies. The Coordinating SubGroup on Counterterrorism in the National Security Council manages crises arising from terrorism and the FBIís Office of Computer Investigations and Infrastructure Protection is the governmentís warning center for attacks on public and private infrastructures.

RECOmmendations

The Commissionís recommendations are the products of many people and much discussion. They are founded on shared core principles and they are based on fact. They are aimed at improving coordination and establishing roles for infrastructure protection, fostering partnerships among all stakeholders, and coordinating diverse interests. Our recommendations fall roughly into three categories: actions that government must take, actions that the private sector must take, and actions that require government and industry to work together in a new partnership.

Information Sharing. During our extensive outreach efforts, we heard time and again that the owners and operators of the infrastructures need more information about cyber threats. They also said that a trusted environment must be built so that they can freely exchange information with each other and with government without fear of onerous regulation, loss of public confidence, or damage to reputation. Managing the new risks inherent in an information-based society requires a different type of information exchange within the industry and between industry and government. Business and government participation in and focus on protecting our infrastructures requires a collaborative environment with a two-way exchange of information, not more burdensome regulation. The Commissionís recommendations lay the foundation for creating this new environment and focus on reviewing legal impediments to information sharing, such as antitrust provisions, federal and private liability, national security information classifications, Freedom of Information Act exemptions, and variance between state codes. Resolution of these issues is key to an effective information sharing process.

Building the Partnership. Protecting Americaís infrastructures is neither an entirely public nor entirely private endeavor. The Commission found a need for a new partnership between government and owners and operators of the infrastructures to assure their continued service. And we found that the need to share information was a foundation on which we could build that partnership. Thus we recommend the federal government take specific steps to ensure owners and operators and state and local governments are sufficiently informed and supported to accomplish their infrastructures protection roles, to include the following:

Structuring the partnership. The Commission proposes a set of structures and processes within the public and private sectors to facilitate infrastructure assurance functions and complement existing law enforcement, regulatory, and other channels of communication between and among critical infrastructure providers and the government. These new structures and processes will provide trusted and protected channels for sharing public and private infrastructure assurance information, and provide a means for focusing, enhancing, and generating additional infrastructure assurance efforts throughout the federal government and private sector. The objective is to establish national structures that will facilitate effective partnership between the federal government, state and local governments, and infrastructure owners and operators to accomplish national infrastructure assurance policy, planning, and programs. Thus we recommend:

 

Education and awareness. Key to the success of these initiatives is educating all our citizens about the emerging threats and vulnerabilities in the cyber dimension. This ranges from establishing a foundation for computer ethics to fostering an environment that will encourage an increase in information assurance specialists. The culture has changed, and our way of thinking about technology and the resulting threats and vulnerabilities must also change. The Commissionís recommendations rest on three pillars and are aimed at all levels of education, from grammar to graduate school, to include:

Leading by example. Infrastructure assurance is a joint responsibility, but the federal government has an unmistakable duty to lead the effort. Clearly, the federal government must lead by example as it reaches out to the private sector and other levels of state and local governments. The federal government must have the tools and policies required to conduct business in the cyber age. This can be facilitated by:

Legal Initiatives. The Commission recommends that major pieces of federal legislation be considered for revision in light of infrastructure assurance concerns. These include legislation that provides authorities for prevention, mitigation, response, and recovery from incidents involving the critical infrastructures. The goal is to ensure that, where appropriate, these vehicles are available to address the emerging cyber threat. We recommend the following statutes be reviewed to incorporate infrastructure assurance objectives:

We have suggested modest improvements to criminal law and procedure, such as improvements to the Federal Sentencing Guidelines that would allow sentences for attacks on critical infrastructures to more adequately reflect the true harm done.

Research and Development (R&D). Federal research and development efforts are inadequate for the size of the research and development challenge presented by emerging cyber threats. About $250 million is spent each year on infrastructure assurance-related R&D, of which 60 percent -- $150 million Ė is dedicated to information security. There is very little research supporting a national cyber defense. The Commission believes that real-time detection, identification, and response tools are urgently needed, and we concluded that market demand is currently insufficient to meet these needs. Thus we recommend doubling federal R&D funding for infrastructure protection to $500 million per year, with 20% increases each year for the next five years. Investment should target the following areas:

Information assurance, vulnerability assessment, and system analysis.

Conclusion

In summary, Mr. Chairman, I believe the findings and conclusions of the Commission to be based on accurate and reasonable information and analyses. The recommendations contained in the Commissionís report, Critical Foundations, when implemented, will create those partnerships and structures essential to reducing vulnerabilities in our infrastructures. They will provide the impetus for research and development efforts to increase information security and provide a cyber defense system. They will increase the nationís ability to prepare, protect, and respond to any threats, strategic or otherwise, directed against our infrastructures, thereby ensuring their continued, effective operation in support of our defense, economic growth, and general well being.

 

This completes my statement, Mr. Chairman. I will be pleased to answer any questions you or the Subcommittee members may have.

 

 

 

Robert T. Marsh

 

Chairman, PCCIP

 

 

 

"Tom" Marsh is the chairman of the President's Commission on Critical

Infrastructure Protection. He is tasked with bringing together the combined forces of the government and private sector to advise and assist the President by developing a strategy for protecting and assuring the continued operation of this nation's critical infrastructures. These critical infrastructures include telecommunications, electrical power systems, gas and oil transportation and storage, banking and finance, transportation, water supply systems, emergency services (medical, police, fire, and rescue) and continuity of government services.

 

 

Quick Facts About Mr. Marsh

 

 

 

in instrumentation engineering and aeronautical engineering.

 

 

Mr. Marsh has an extensive background as an aerospace consultant. He

serves as the chairman of the Board of CAE Electronics, Inc. and Comverse Government Systems Corporation. He is a director of Teknowledge Corporation and a Trustee of the MITRE Corporation. He is also the director of the Air Force Aid Society. Mr. Marsh is a member of the Board of Visitors of the Carnegie-Mellon Software Engineering Institute and was chairman of the Board of Visitors of the U.S. Air Force Institute of Technology.

 

From 1989 to 1991 he served as the first chairman of Thiokol Corporation as it transitioned from Morton-Thiokol to separate company status. Mr. Marsh is a retired Air Force general. His last assignment was serving as the commander of the Air Force Systems Command, where he directed the research, development, testing and acquisition of aerospace systems for the Air Force.

 

With his vast experience in both commercial industry and the military, Mr. Marsh brings a unique understanding of both government and industry needs in the area of critical infrastructure protection to his position as Chairman of the Commission.